LDAP KDB

Edward Murrell edward at dlconsulting.com
Tue Jan 23 17:36:56 EST 2007


Possibly wandering off topic here, but I feel it's worth mentioning;

Having used OpenLDAP and Kerberos, I must say that I wouldn't do this.
I can see why people would want to, but my experience with the two bits of
software has left me with a sour taste when it comes to OpenLDAP,
especially with regards to replication.

Granted, most of the problems seem to have been caused by either the BDB
backend on OpenLDAP, or my own damn fault (schema problems, improper
copies of replication data, flat out bad configuration, etc), but I have
actually yet to break MIT KRB5, despite the weird and wonderful setups I
have pushed through it, whereas OpenLDAP seems to fall over at the drop
of a hat (or worse yet, half falls over, and doesn't tell you). Maybe
I've done something wrong, but the fact that I've had to recreate my
LDAP database at least five times in the past two years has left me a
little hesitant about it.

In any case, I thought I'd put a note here. If you're planning a new
installation from scratch, using the KDB Kerberos in LDAP method...
Don't. In fact, while I'm on this topic, my recommendation is to set
things up in the following order:

DNS
Kerberos
LDAP (using Kerberos for authentication of replicas).

Regards
Edward Murrell

Ken Raeburn wrote:
> On Jan 22, 2007, at 4:39, Enrico M. V. Fasanelli wrote:
>   
>> Dear Kerberos/LDAP gurus
>>
>> I've seen that the 1.6 MIT release includes support for storing the  
>> database into an LDAP server.
>>
>> My apologies for the dummy question, but what are the advantages of  
>> putting the database into LDAP?
>>     
>
> Integration with other LDAP-based account administration, especially  
> if Kerberos is being added to an environment already using LDAP;  
> automatic and immediate synchronization between all KDCs and kadmin  
> servers and password-change servers as changes are made....
>
> Ken
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>   



